Content delivery network encryption

ABSTRACT

A system and method for delivering content to end users encrypted within a content delivery network (CDN) for content originators is disclosed. CDNs transport content for content originators to end user systems in a largely opaque manner. Caches and origin servers in the CDN are used to store content. Some or all of the content is encrypted within the CDN. When universal resource indicators (URIs) are received from an end user system, the CDN can determine the key used to decrypt the content object within the CDN before delivery. Where there is a cache miss, an origin server can be queried for the content object, which is encrypted in the CDN.

CROSS-REFERENCES TO RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No. 13/564,212 filed on Aug. 1, 2012, which is a continuation of U.S. application Ser. No. 13/245,673 filed on Sep. 26, 2011, which is a continuation of U.S. application Ser. No. 12/573,542 filed on Oct. 5, 2009, which claims the benefit of U.S. Application No. 61/102,809 filed Oct. 3, 2008. This application is a continuation-in-part of U.S. application Ser. No. 13/945,664 filed on Jul. 18, 2013, which is a continuation of U.S. application Ser. No. 13/245,861 filed on Sep. 27, 2011, which is a continuation of U.S. application Ser. No. 12/723,533 filed Mar. 12, 2010, which claims the benefit of U.S. Application No. 61/163,412 filed Mar. 25, 2009. This application is a continuation-in-part of U.S. application Ser. No. 12/563,793 filed Sep. 21, 2009, which claims the benefit of U.S. Application No. 61/098,530 filed Sep. 19, 2008. Each of these references is hereby incorporated by reference in its entirety for all purposes.

BACKGROUND

This disclosure relates in general to content delivery networks (CDNs) and, but not by way of limitation, to delivery of content while protecting the content.

Content delivery networks (CDNs) are used by originators of content to offload delivery of content objects. CDNs distribute edge servers throughout the Internet that host and/or cache content for content originators as a service. Without relying on a CDN, a content originator may overload its servers and provide poor quality of service (QoS) or worse.

End users often are unaware that they are receiving their content from a CDN. Because the CDN is largely kept invisible to the end user, it is often only URLs that are given to the CDN. The URLs are correlated to a content object that is served from the CDN. Where a content object is currently missing from the part of the CDN receiving the request, other portions of the CDN or the origin server can be queried for the content object.

CDNs typically service a large number of end user systems requesting content that content originators may want protected through the CDN. Bulk theft can happen if some or all of a CDN is compromised. With high-definition video being delivered with CDNs, the threat of losing digital copies in bulk would worry a content originator. Hacking by outsiders and theft by insiders could result in loss of digital copies of content objects.

SUMMARY

In one embodiment, the present disclosure provides for delivering video and/or audio content to end users encrypted within a content delivery network (CDN) for content originators. CDNs transport content for content originators to end user systems in a largely opaque manner. Caches and origin servers in the CDN are used to store content. Some or all of the video and/or audio content is encrypted within the CDN. When universal resource indicators (URIs) are received from an end user system, the CDN can determine the key used to decrypt the content object within the CDN before delivery. Where there is a cache miss, an origin server can be queried for the content object, which is encrypted in the CDN.

In another embodiment, the present disclosure provides a method for protecting content within a CDN that delivers content for content originators. A URI specifying a content object is received. The URI is analyzed to determine if the content object is protected with encryption within the CDN. The content object is searched for within the CDN. The content object is requested from an origin server when the content object cannot be found cached within the CDN. The URI is analyzed to find a key from a number of keys. The key for the content object is retrieved. The content object is encrypted with the key to create an encrypted content object. The encrypted content object is cached in the CDN. The encrypted content object or a portion thereof is decrypted with the key as the content object is passed to an end user computer.

In yet another embodiment, the present disclosure provides a CDN for delivering content to end users encrypted within the CDN for content originators. The CDN includes a key database comprising a number of keys, an interface to the Internet and an edge server comprising a content database for caching content. The keys are indexed by information derivable from the URI. A key is determined from the number of keys by analysis of a URI from an end user system. The interface requests the content object from an origin server. The CDN requests content from origin servers when not cached in the CDN. The edge server receives the URI specifying a content object. The edge server analyzes the URI to determine if the content object is protected with encryption within the CDN. The edge server stores the content object in the content database. The edge server decrypts the content object or a portion thereof with the key before delivery to an end user.

In still another embodiment, the present disclosure provides a CDN for delivering content to end users encrypted within the CDN for content originators. The CDN comprises: means for receiving a URI specifying a content object; means for analyzing the URI to determine if the content object is protected with encryption within the CDN; means for searching for the content object within the CDN; means for requesting the content object from an origin server when the content object cannot be found cached within the CDN; means for analyzing the URI to find a key from a number of keys; means for retrieving the key for the content object; means for encrypting the content object with the key to create an encrypted content object; means for caching the encrypted content object in the CDN; and means for decrypting the encrypted content object or a portion thereof with the key as the content object is passed to an end user computer.

Further areas of applicability of the present disclosure will become apparent from the detailed description provided hereinafter. It should be understood that the detailed description and specific examples, while indicating various embodiments, are intended for purposes of illustration only and are not intended to necessarily limit the scope of the disclosure.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure is described in conjunction with the appended figures:

FIG. 1 depicts a block diagram of an embodiment of a content distribution system;

FIGS. 2A, 2B and 2C depict block diagrams of embodiments of a content delivery network (CDN);

FIG. 3 depicts a block diagram of an embodiment of an origin server;

FIG. 4 depicts a diagram of an embodiment of a content protection scheme; and

FIG. 5 illustrates a flowchart of an embodiment of a process for delivering a content object with a CDN while protecting the content object within the CDN.

In the appended figures, similar components and/or features may have the same reference label. Further, various components of the same type may be distinguished by following the reference label by a dash and a second label that distinguishes among the similar components. If only the first reference label is used in the specification, the description is applicable to any one of the similar components having the same first reference label irrespective of the second reference label.

DETAILED DESCRIPTION

The ensuing description provides preferred exemplary embodiment(s) only, and is not intended to limit the scope, applicability or configuration of the disclosure. Rather, the ensuing description of the preferred exemplary embodiment(s) will provide those skilled in the art with an enabling description for implementing a preferred exemplary embodiment. It is to be understood that various changes may be made in the function and arrangement of elements without departing from the spirit and scope as set forth in the appended claims.

Referring first to FIG. 1, a block diagram of an embodiment of a content distribution system 100 is shown. The content originator 106 offloads delivery of the content objects to a content delivery network (CDN) 110 in this embodiment. The content originator 106 produces and/or distributes content objects and includes a content provider 108, a content site 116, and an origin server 112. The CDN 110 can both cache and/or host content in various embodiments for third parties to offload delivery and typically provide better quality of service (QoS).

In this embodiment, the content distribution system 100 locates the content objects (or portions thereof) and distributes the content objects to an end user system 102. The content objects are dynamically cached within the CDN 110 to improve the QoS. A content object is any content file or content stream and could include, for example, video, pictures, data, audio, software, and/or text. The content object could be live, delayed or stored. Throughout the specification, references may be made to a content object, content, content stream and/or content file, but it is to be understood that those terms could be used interchangeably wherever they may appear.

Many content providers 108 use a CDN 110 to deliver the content objects over the Internet 104 to end users 128. The CDN 110 includes a number of points of presence (POPs) 120, which are geographically distributed through the content distribution system 100 to deliver content. Various embodiments may have any number of POPs 120 within the CDN 110 that are generally distributed in various locations around the Internet 104 that are proximate to end user systems 102. Multiple POPs use the same IP address such that an Anycast routing scheme is used to find a POP likely to be close to the end user in a network sense for each request. In addition to the Internet 104, a wide area network (WAN) 114 or other backbone may couple the POPs 120 with each other and also couple the POPs 120 with other parts of the CDN 110.

When an end user 128 requests a web page through its respective end user system 102, the request for the web page is passed either directly or indirectly via the Internet 104 to the content originator 106. The content originator 106 is the source or re-distributor of content objects. The content site 116 is an Internet web site accessible by the end user system 102. In one embodiment, the content site 116 could be a web site where the content is viewable with a web browser. In other embodiments, the content site 116 could be accessible with application software other than a web browser. The content provider 108 directs content requests to a CDN 110 after they are made or formulates the delivery path by embedding the delivery path into the URLs for a web page. In any event, the request for content is handed over to the CDN 110 in this embodiment by using an Anycast IP address corresponding to two or more POPs 120.

Once the request for a content object is passed to the CDN 110, the request is associated with a particular POP 120 within the CDN 110 using the Anycast routing scheme. The particular POP 120 may retrieve the portion of the content object from the content provider 108. Alternatively, the content provider 108 may directly provide the content object to the CDN 110 and its associated POPs 120 through prepopulation, i.e., in advance of the first request. In this embodiment, the content objects are provided to the CDN 110 and stored in one or more CDN servers such that the portion of the requested content may be served from the CDN 110. The CDN servers include edge servers that actually serve end user requests. The origin server 112 holds a copy of each content object for the content originator 106. Periodically, the content of the origin server 112 may be reconciled with the CDN 110 through a cache, hosting and/or pre-population algorithm. Some content providers could use an origin server within the CDN 110 to host the content and avoid the need to maintain a copy.

Once the content object is retrieved, the content object is stored within the particular POP 120 and is served from that POP to the end user system 102. The end user system 102 receives the content object and processes it for use by the end user 128. The end user system 102 could be a personal computer, media player, handheld computer, Internet appliance, phone, IPTV set top, streaming radio or any other device that receives and plays content objects. In some embodiments, a number of the end user systems 102 could be networked together. Although this embodiment only shows a single content originator 106 and a single CDN 110, it is to be understood that there could be many of each in various embodiments.

Content can be protected during the distribution process. The content originator 106 protects the content objects with encryption. An encrypted link can be used between the content originator 106 and the CDN 110 when transferring the content object, which can be unencrypted. The CDN encrypts the content object upon receipt before hosting or caching the content object. Decryption is performed before sending the content object or a portion thereof to an end user system 102. An encrypted link can be used for the delivery or the content object could be encrypted, watermarked, fingerprinted, and/or have digital rights management (DRM) applied.

The content originator could encrypt the content object instead of or in addition to use of an encrypted link when transferring content for hosting by the CDN or when there is a cache miss within the CDN. Each content originator 106 could have a key that is known to both content originator 106 and CDN 110. The various content originators 106 could have different unique keys that are used to decrypt the content object or portion thereof before it is sent to an end user system 102.

In another embodiment, the content originator 106 could interact with a CDN key database for a content object where there is a key unique to each content object and content originator 106. An encrypted link would be used when interacting between the content originator 106 and the CDN key database. The content originator 106 requests a key that is used by the content originator 106 to encrypt the content object before it is sent to the CDN. The CDN uses the key when decrypting the content object or a portion thereof. A different embodiment could store the keys at the content originator 106 that are requested by the CDN when needed using an encrypted link.

With reference to FIG. 2A, a block diagram of an embodiment of a CDN 110-1 is shown. Although only one POP 120 is shown in detail, there are a number of POPs 120 similarly configured throughout the CDN 110. The POPs communicate through a WAN 114 and/or the Internet 104 when locating content objects. An interface to the Internet 104 to the POP 120 accepts requests for content objects from end user systems 102. The request comes from an Internet protocol (IP) address in the form of a universal resource indicator (URI). Switch fabric 240 assigns the request to one of the edge servers 230 according to a routing scheme.

The edge server 230 assigned the content object request analyzes the URI to determine if it corresponds to an encrypted content object. In other embodiments, a cache 232 of the edge server 230 is checked, and metadata, the file system, a table or other methods can indicate that the content object referenced by the URI is protected in the cache with encryption. The encryption used in one edge server cache 232 can be different from other edge server caches 232 in other POPs 120 or even in the same POP 120.

In one embodiment, the URI is a request that indicates a file and an address and optionally an encryption variable to indicate if the file is encrypted. In another embodiment, the encryption variable is not within the URI, but the URI can be correlated to an encryption variable, which indicates if the file is encrypted. Optionally, the URI can also include a path, origin location, variable(s), a prefix, etc. In some form, the URI is passed to various caches and/or host servers of the CDN 110 in an attempt to find a requested content object. It is to be understood that when the term URI is used, it doesn't necessarily require any format and just conveys at least where to find a content object.

The URI either has the encryption variable or can be otherwise correlated to an encryption variable. For example, ACME.llnw.net/videos/sports/game.mov?red5 is a URI with an ACME prefix, a llnw.net domain, a videos/sports path, a game.mov filename, and a red5 encryption variable. The URI itself, the ACME prefix and/or red5 in this example could be used by edge servers 230 to determine if a content object is encrypted.

One embodiment hashes the URI or a portion of the URI. The hash is used to query for parameters associated with the URI from a CDN key database 236. Passing of keys to/from the CDN key database 236 uses an encrypted channel. Other embodiments could use other information from the URI to query the CDN key database 236; for example, the prefix ACME could correspond to a key that is used for all content referenced with a URI having an ACME prefix. In various embodiments, there could be different keys for the content originator, content partner and/or another party in the supply chain; the content object, its format, its bitrate, its size, and/or other attributes of the content object; the particular CDN, POP, cache server and/or edge server. For example, high-definition video could be encrypted, but standard-definition content would not.

In some cases, the CDN 110 is used to host content for others. A secure transfer utility like S/FTP can be used to upload content to a CDN origin server 248. The content object can be encrypted automatically and stored in the content database 252 after upload. In some embodiments, the content object is encrypted during the transfer with the key that will protect it within the CDN 110. The content originator 106 loads the content object into the CDN 110 and places the key or keys into the CDN key database 236. The keys are stored and indexed according to the way they will later be retrieved. For example, the hash of the URI is stored if the hash is later used to find the key when the URI is received.

In some embodiments, the content object could be encrypted with a number of keys successively. For example, a content object could be encrypted with a key for a CDN and then encrypted with a different key unique to an edge server. Decryption would require both keys to get the content object in the clear. Other embodiments could combine one or more keys and use the combination as a new key to encrypt the content object such that both were required to get the content object in the clear.

Some embodiments pass the content object into and out of the CDN in an encrypted form or using an encrypted channel, socket or tunnel during the delivery process. When the cache(s) 232 of the CDN or the content database 252 do not hold a requested content object, it is retrieved from the origin server 112 of the content originator 106. Encrypted streams using RTMPE, HTTP-S, RTMPS, or other protocols can be used to protect a content object read from the content originator 106. The content object would be encrypted and cached after it enters the CDN 110 and the key would be stored in the CDN key database 236.

In some cases, the content originator 106 could encrypt the content object and provide the key to the CDN 110 after delivery so it can be decrypted and encrypted in the key of the CDN 110. In one embodiment, the content object is left encrypted with the content originator key and encrypted again with the CDN key. The content originator key would be stored in the CDN key database 236 so that both decryptions could be performed upon delivery of the content object to an end user.

The delivery to the end user system 102 could also be protected with an encrypted tunnel and/or encryption of the content object itself. This embodiment uses a watermark/digital rights management (DRM) function 244 to protect the content object. A watermark embeds information about the end user system 102 into the content object by weaving it through the content object in a manner that does not reduce the quality appreciably and is not easily removed. DRM generally protects access and use of the content object in conjunction with software on the end user system 102 with rules enforced by the software. A fingerprint can also be used that puts information into the content object as metadata.

Any or all of watermarking, fingerprinting and/or DRM can be used to protect the content object in various embodiments. On a URL-by-URL basis, these three protection mechanisms can be invoked. Information in the URL or correlated to the URL can be placed into the content object or define the rules for the DRM. Information that might go into the fingerprint or watermark includes the IP address of the end user system, an account number or other variable from the URI, the time and date of delivery, the URI or a portion thereof, a serial number unique to the particular delivery, etc. The information embedded into a content object generally allows later determining the end user system 102 and/or end user 128 that received the content object.

Referring to FIG. 2B, a block diagram of an embodiment of a CDN 110-2 is shown. This embodiment differs from the embodiment of FIG. 2A by moving the CDN key database 236 into the POP 120 and removing the watermark/DRM function 244. Each POP 120 could have its own CDN key database 236. All POPs 120 use different keys such that a compromise of one POP would not expose the content on all POPs 120 in this embodiment. Other embodiments could have the CDN key databases 236 in the various POPs 120 reconciled to contain the same keys. There could be different keys for each edge server 230, each content object, and/or each end user IP address to further compartmentalize the content.

With reference to FIG. 2C, a block diagram of an embodiment of a CDN 110-3 is shown. This embodiment differs from the embodiment of FIG. 2B in that there is a CDN key database 236 for each edge server. This embodiment has different keys for the same content object stored in a number of edge server caches 232. Compromise of the CDN key database 236 for one edge server 230 would not expose the content on other edge servers 230 to theft.

Referring to FIG. 3, a block diagram of an embodiment of an origin server 112 coupled to the Internet 104 is shown. Some content originators 106 host their content in an origin server 112, while others host using the CDN origin server 248. The origin server includes a server 304, an origin database 308 and an origin key database 312. The server 304 can serve content from the origin database 308 that may be requested by an end user system 102 or the CDN 110 on a cache miss. In this embodiment, content objects in the origin database 308 are protected with encryption.

The origin key database 312 holds keys that protect the content objects in the origin database 308. These same keys may be used within the CDN to protect content objects as they make their way to the end user computers 102 in one embodiment. The keys in the origin key database 312 would be passed to the CDN key database(s) 236 using a secure channel and/or encryption. Where the origin server 112 directly delivers to the end user system 102, the content object could be decrypted as it is streamed.

In another embodiment, the origin key database 312 has keys that are used in the origin server 112. Different keys are used in the CDN key database(s) 236. Transfer of a content object involves decryption from the old key and encryption into the new key. The decryption could be performed before the transfer to the CDN or afterward.

With reference to FIG. 4, a diagram of an embodiment of a content protection scheme 400 is shown. Content flows from one or more content originators 106. The content originators 106 may encrypt some or all of their content objects. The content can be protected in a key of the content originator 106 or the CDN 110 or not encrypted at all. An encrypted tunnel 404 is optionally used between the content originator 106 and the CDN 110. Within the CDN 110, the content object is encrypted. Keys are discernible within the various caches and databases of the CDN. Regardless of key, the caches can determine redundant content objects such that only one copy need be stored in encrypted form.

Content is requested from the CDN 110 and delivered to end user systems 102. An encrypted tunnel is optionally used between the CDN 110 and the end user system 102. This embodiment does not encrypt the content object sent to the end user, but other embodiments could encrypt the content object before passing it to the end user system 102. Watermarking, fingerprinting and/or DRM are used to protect the content object as it passes to and is used by the end user system 102.

Referring to FIG. 5, a flowchart of an embodiment of a process 500 for delivering a content object with a CDN while protecting the content object is shown. The depicted portion of the process 500 begins in block 504 where the CDN 110 receives a request for a content object. The URI is analyzed to determine if the content object is encrypted in block 508. Other embodiments could find the content object and determine from the content object or a table if it were encrypted. In any event, the content object referenced in the URI is searched for within the CDN in block 512. Depending on the content object, it could be cached and/or hosted.

Where the content object is found in the CDN in block 528, processing jumps to block 536 where the content object is decrypted with the appropriate key retrieved from the CDN or origin server. The end user system 102 (browser or otherwise) may request a range of bytes from the file instead of the whole file at once. The edge server 230 can extract and decrypt an arbitrary range of bytes from the file without having to decrypt the entire file. Optionally, fingerprinting, watermarking and/or DRM can be added to the content object before delivery to the end user system 102. In block 540, the content object or portion thereof is sent to the end user system 102, optionally using an encrypted channel or with encryption of the content object.

Where the content object cannot be found within the CDN 110 in block 528, processing continues to block 516 to handle the cache miss. A source of the URI is determined in block 516 that could be an IP address along with other elements of a URI. The content object is requested from the origin server in block 520. The origin server could decrypt and encrypt the content object for the key used in the CDN 110 or could rely upon the CDN 110 for the encryption.

In block 524, the key is obtained from the CDN key database 236 and/or origin key database 312. Before storing in a database or cache, the content object is encrypted with the key in block 528. The content object is stored in a cache of the CDN in block 532. Processing continues to blocks 536 and 540 where the content object is decrypted with the key, protected and delivered as discussed above. The process 500 then repeats for each content object request. In some cases, the content object is not encrypted and the cryptographic portions of the process 500 would not be performed.
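The URI analysis and key lookup described for FIG. 2A (the ACME prefix and red5 encryption variable, the key database indexed by a hash of the URI) and the cache-miss, encrypt, cache and range-decrypt steps of the FIG. 5 process, as one added example that is not code from the patent or from any CDN product. It assumes an in-memory key database and a dict standing in for the origin server, and uses an HMAC-SHA256 counter-mode keystream in place of AES-CTR so that it runs with the Python standard library only.

```python
# Constructed example, not code from the patent or from any CDN product.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

BLOCK = hashlib.sha256().digest_size  # one keystream block is 32 bytes


@dataclass(frozen=True)
class ParsedURI:
    prefix: str             # "ACME"
    domain: str             # "llnw.net"
    path: str               # "videos/sports"
    filename: str           # "game.mov"
    enc_var: Optional[str]  # "red5" encryption variable, or None


def parse_uri(uri: str) -> ParsedURI:
    """Split e.g. ACME.llnw.net/videos/sports/game.mov?red5 into its parts."""
    parts = urlsplit(uri if "://" in uri else "//" + uri)
    prefix, _, domain = parts.netloc.partition(".")
    path, _, filename = parts.path.lstrip("/").rpartition("/")
    return ParsedURI(prefix, domain, path, filename, parts.query or None)


class KeyDatabase:
    """CDN key database 236: keys are indexed the way they will be retrieved,
    here by SHA-256 of the whole URI with a per-prefix key as fallback."""

    def __init__(self) -> None:
        self._by_hash: Dict[str, bytes] = {}
        self._by_prefix: Dict[str, bytes] = {}

    @staticmethod
    def uri_hash(uri: str) -> str:
        return hashlib.sha256(uri.encode()).hexdigest()

    def add_for_uri(self, uri: str, key: bytes) -> None:
        self._by_hash[self.uri_hash(uri)] = key

    def add_for_prefix(self, prefix: str, key: bytes) -> None:
        self._by_prefix[prefix] = key

    def lookup(self, uri: str) -> Optional[bytes]:
        key = self._by_hash.get(self.uri_hash(uri))
        return key if key is not None else self._by_prefix.get(parse_uri(uri).prefix)


def keystream(key: bytes, nonce: bytes, start: int, length: int) -> bytes:
    """Counter-mode keystream for bytes [start, start+length), generated without
    touching earlier bytes; that is what makes range decryption cheap. HMAC-SHA256
    is the PRF only to stay standard-library; deployments use AES-CTR or AES-GCM."""
    first, last = start // BLOCK, (start + length - 1) // BLOCK
    blocks = b"".join(
        hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        for i in range(first, last + 1))
    offset = start - first * BLOCK
    return blocks[offset:offset + length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EdgeServer:
    """Edge server 230 with cache 232; `origin` stands in for origin server 112."""

    def __init__(self, keydb: KeyDatabase, origin: Dict[str, bytes]) -> None:
        self.keydb, self.origin = keydb, origin
        self.cache: Dict[str, Tuple[Optional[bytes], bytes]] = {}  # uri -> (nonce, bytes at rest)
        self.misses = 0

    def is_protected(self, uri: str) -> bool:
        # Block 508: the encryption variable in the URI, or a key correlated to the URI.
        return parse_uri(uri).enc_var is not None or self.keydb.lookup(uri) is not None

    def serve(self, uri: str, start: int = 0, length: Optional[int] = None) -> bytes:
        """Locate or fetch the object, cache it encrypted, and return the
        requested byte range in the clear (blocks 512 to 540 of FIG. 5)."""
        if uri not in self.cache:                       # cache miss
            self.misses += 1
            data = self.origin[uri]                     # block 520: request from origin
            nonce = None                                # unprotected: no cryptographic steps
            if self.is_protected(uri):
                key = self.keydb.lookup(uri)            # block 524
                if key is None:
                    raise KeyError("protected object but no key for " + uri)
                nonce = os.urandom(16)
                data = xor_bytes(data, keystream(key, nonce, 0, len(data)))
            self.cache[uri] = (nonce, data)             # block 532: only ciphertext at rest
        nonce, stored = self.cache[uri]
        if length is None:
            length = len(stored) - start
        if start < 0 or length < 0 or start + length > len(stored):
            raise ValueError("byte range outside the object")
        chunk = stored[start:start + length]
        if nonce is None:
            return chunk
        return xor_bytes(chunk, keystream(self.keydb.lookup(uri), nonce, start, length))  # block 536
```

A second `EdgeServer` built on a different `KeyDatabase` holds a different ciphertext for the same URI, which is the per-edge-server compartmentalization of FIG. 2C.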

A number of variations and modifications of the disclosed embodiments can also be used. For example, some of the above embodiments protect the exchange between content originator and CDN, but it is to be understood that there could be any number of links in a chain between the content originator and CDN, each with the ability to encrypt content objects and tunnels while exchanging necessary keys.

While the principles of the disclosure have been described above in connection with specific apparatuses and methods, it is to be clearly understood that this description is made only by way of example and not as limitation on the scope of the disclosure.

1. (canceled)
2. A content delivery network (CDN) having a plurality of points of presence (POPs) distributed geographically, the CDN comprising: a first key database, wherein: the first key database is part of a first POP of the plurality of POPs; and the first key database stores a first plurality of keys for decrypting content objects; a first cache, wherein: the first cache is part of the first POP; and the first cache stores a first encrypted version of a content object; a first edge server, wherein: the first edge server is part of the first POP; and the first edge server is configured to: receive a first request for the content object, wherein the first request is generated by a first end-user system; retrieve a first key of the first plurality of keys from the first key database; decrypt at least a portion of the first encrypted version of the content object using the first key to create a first unencrypted object; and initiate delivery of the first unencrypted object to the first end-user system over the Internet; a second key database, wherein the second key database stores a second plurality of keys for decrypting content objects; a second cache, wherein the second cache stores a second encrypted version of the content object; a second edge server, the second edge server configured to: receive a second request for the content object; retrieve a second key, wherein: the second key is retrieved from the second key database; and the second key is one of the second plurality of keys; decrypt at least a portion of the second encrypted version of the content object using the second key to create a second unencrypted object; and initiate delivery of the second unencrypted object to a second end-user system over the Internet.
3. The CDN as recited in claim 2, wherein: the second edge server is part of the first POP; and the second key database is part of the first POP.
4. The CDN as recited in claim 2, wherein the second edge server is part of a second POP of the plurality of POPs.
5. The CDN as recited in claim 2, wherein the second key database is part of a second POP of the plurality of POPs.
6. The CDN as recited in claim 2, wherein the first key database and/or the second key database are indexed by information derivable from information contained in a URI.
7. The CDN as recited in claim 2, further comprising a fingerprinting function that embeds a source Internet address into the content object.
8. A method for protecting content within a content delivery network (CDN) having a plurality of points of presence (POPs) distributed geographically, the method comprising: receiving a first request for a content object; locating a first encrypted version of the content object at a first edge server, wherein the first edge server is part of a first POP of the plurality of POPs; retrieving a first key for the first encrypted version of the content object, wherein the first key is located in a first key database; receiving a second request for the content object; locating a second encrypted version of the content object at a second edge server, wherein the second edge server is part of the CDN; retrieving a second key for the second encrypted version of the content object, wherein the second key is located in a second key database; and decrypting at least a portion of the first encrypted version of the content object with the first key to create a first unencrypted object; initiating delivery of the first unencrypted object to a first end-user system; decrypting at least a portion of the second encrypted version of the content object with the second key to create a second unencrypted object; and initiating delivery of the second unencrypted object to a second end-user system.
9. The method for protecting content within the CDN as recited in claim 8, wherein: the second edge server is part of the first POP; and the second key database is part of the first POP.
10. The method for protecting content within the CDN as recited in claim 8, wherein: the second edge server is part of a second POP of the plurality of POPs; and the second key database is part of the second POP.
11. The method for protecting content within the CDN as recited in claim 2, wherein the first key database and the second key database are part of the CDN.
12. The method for protecting content within the CDN as recited in claim 8, wherein: the first key database is outside the CDN; and the first key is passed to the CDN using a secure channel.
13. The method for protecting content within the CDN as recited in claim 8, wherein the first request is received by the first edge server and the second request is received by the second edge server.
14. The method for protecting content within the CDN as recited in claim 8, wherein: the first request includes a URI specifying the content object; and the first key is located by analyzing the URI.
15. The method for protecting content within the CDN as recited in claim 14, further comprising watermarking the content object with a fingerprint that allows determination of an IP address that the URI was requested from.
16. The method for protecting content within the CDN as recited in claim 8, wherein the first end-user system is the same as the second end-user system.
17. A memory device having instructions for protecting content within a CDN having a plurality of points of presence (POPs) distributed geographically, that when executed, cause one or more processors to: receive a first request for a content object; locate a first encrypted version of the content object at a first edge server, wherein the first edge server is part of a first POP of the plurality of POPs; retrieve a first key for the first encrypted version of the content object, wherein the first key is located in a first key database; receive a second request for the content object; locate a second encrypted version of the content object at a second edge server, wherein the second edge server is part of the CDN; retrieve a second key for the second encrypted version of the content object, wherein the second key is located in a second key database; and decrypt at least a portion of the first encrypted version of the content object with the first key to create a first unencrypted object; initiate delivery of the first unencrypted object to a first end-user system; decrypt at least a portion of the second encrypted version of the content object with the second key to create a second unencrypted object; and initiate delivery of the second unencrypted object to a second end-user system.
18. The memory device having instructions for protecting content within the CDN as recited in claim 17, wherein: the second edge server is part of the first POP; and the second key database is part of the first POP.
19. The memory device having instructions for protecting content within the CDN as recited in claim 17, wherein: the second edge server is part of a second POP of the plurality of POPs; and the second key database is part of the second POP.
20. The memory device having instructions for protecting content within the CDN as recited in claim 17, wherein: the first request includes a URI specifying the content object; and the first key is located by analyzing the URI.
21. The memory device having instructions for protecting content within the CDN as recited in claim 20, wherein the instructions further cause the one or more processors to watermark the first unencrypted object and/or the second unencrypted object with a fingerprint that allows determination of an IP address that the URI was requested from.